Land rapid7#6409, Add auxiliary/scanner/redis/redis_login

wchen-r7 · wchen-r7 · commit df3427416e63 · 2016-03-31T17:20:30.000-05:00
This also changes:

* The Msf::Auxiliary::Redis for the naming &amp; PASSWORD datastore option
* auxiliary/scanner/redis/redis_server module name
* Removes auxiliary/scanner/misc/redis_server, because it was
  deprecated.
diff --git a/lib/metasploit/framework/login_scanner/redis.rb b/lib/metasploit/framework/login_scanner/redis.rb
@@ -0,0 +1,91 @@
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with REDIS.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+
+      class Redis
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 6379
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES = [ 'redis' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # This method can create redis command which can be read by redis server
+        def redis_proto(command_parts)
+          return if command_parts.blank?
+          command = "*#{command_parts.length}\r\n"
+          command_parts.each do |p|
+            command << "$#{p.length}\r\n#{p}\r\n"
+          end
+          command
+        end
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attempt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            host: host,
+            port: port,
+            protocol: 'tcp',
+            service_name: 'redis'
+          }
+
+          disconnect if self.sock
+
+          begin
+            connect
+            select([sock], nil, nil, 0.4)
+
+            command = redis_proto(['AUTH', "#{credential.private}"])
+            sock.put(command)
+            result_options[:proof] = sock.get_once
+
+            # No password      - ( -ERR Client sent AUTH, but no password is set\r\n )
+            # Invalid password - ( -ERR invalid password\r\n )
+            # Valid password   - (+OK\r\n)
+
+            if result_options[:proof] && result_options[:proof] =~ /but no password is set/i
+              result_options[:status] = Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
+            elsif result_options[:proof] && result_options[:proof] =~ /^-ERR invalid password/i
+              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+            elsif result_options[:proof] && result_options[:proof][/^\+OK/]
+              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+            end
+
+          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
+            result_options.merge!(
+              proof: e,
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            )
+          end
+          disconnect if self.sock
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.connection_timeout  ||= 30
+          self.port                ||= DEFAULT_PORT
+          self.max_send_size       ||= 0
+          self.send_delay          ||= 0
+        end
+      end
+    end
+  end
+end
diff --git a/lib/msf/core/auxiliary/redis.rb b/lib/msf/core/auxiliary/redis.rb
@@ -20,7 +20,7 @@ def initialize(info = {})
       register_options(
         [
           Opt::RPORT(6379),
-          OptString.new('Password', [false, 'Redis password for authentication test', 'foobared'])
+          OptString.new('PASSWORD', [false, 'Redis password for authentication test', 'foobared'])
         ]
       )
 
@@ -54,7 +54,7 @@ def redis_command(*commands)
       if /(?<auth_response>ERR operation not permitted|NOAUTH Authentication required)/i =~ command_response
         fail_with(::Msf::Module::Failure::BadConfig, "#{peer} requires authentication but Password unset") unless datastore['Password']
         vprint_status("Requires authentication (#{printable_redis_response(auth_response, false)})")
-        if (auth_response = send_redis_command('AUTH', datastore['Password']))
+        if (auth_response = send_redis_command('AUTH', datastore['PASSWORD']))
           unless auth_response =~ /\+OK/
             vprint_error("Authentication failure: #{printable_redis_response(auth_response)}")
             return
diff --git a/modules/auxiliary/scanner/misc/redis_server.rb b/modules/auxiliary/scanner/misc/redis_server.rb
diff --git a/modules/auxiliary/scanner/redis/redis_login.rb b/modules/auxiliary/scanner/redis/redis_login.rb
@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'metasploit/framework/login_scanner/redis'
+require 'metasploit/framework/credential_collection'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Redis
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'         => 'Redis Login Utility',
+        'Description'  => 'This module attempts to authenticate to an REDIS service.',
+        'Author'       => [ 'Nixawk' ],
+        'References'   => [
+          ['URL', 'http://redis.io/topics/protocol']
+        ],
+        'License'      => MSF_LICENSE))
+
+    register_options(
+      [
+        OptPath.new('PASS_FILE',
+          [
+            false,
+            'The file that contains a list of of probable passwords.',
+            File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
+          ])
+      ], self.class)
+
+    # redis does not have an username, there's only password
+    deregister_options('USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS', 'DB_ALL_CREDS')
+  end
+
+  def run_host(ip)
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      # The LoginScanner API refuses to run if there's no username, so we give it a fake one.
+      # But we will not be reporting this to the database.
+      username: 'redis'
+    )
+
+    cred_collection = prepend_db_passwords(cred_collection)
+
+    scanner = Metasploit::Framework::LoginScanner::Redis.new(
+      host: ip,
+      port: rport,
+      proxies: datastore['PROXIES'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 30
+    )
+
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(
+        module_fullname: self.fullname,
+        workspace_id: myworkspace_id
+      )
+
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        credential_data.delete(:username) # This service uses no username
+        credential_core = create_credential(credential_data)
+        credential_data[:core] = credential_core
+        create_credential_login(credential_data)
+
+        if datastore['VERBOSE']
+          vprint_good "#{peer} - LOGIN SUCCESSFUL: #{result.credential} (#{result.status}: #{result.proof})"
+        else
+          print_good "#{peer} - LOGIN SUCCESSFUL: #{result.credential}"
+        end
+      when Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
+        vprint_error "#{peer} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+        break
+      else
+        invalidate_login(credential_data)
+        vprint_error "#{peer} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+      end
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/redis/redis_server.rb b/modules/auxiliary/scanner/redis/redis_server.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'         => 'Redis Scanner',
+      'Name'         => 'Redis Command Execute Scanner',
       'Description'  => %q(
         This module locates Redis endpoints by attempting to run a specified
         Redis command.

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ def initialize(info = {})`
`20`	`20`	`register_options(`
`21`	`21`	`[`
`22`	`22`	`Opt::RPORT(6379),`
`23`		`- OptString.new('Password', [false, 'Redis password for authentication test', 'foobared'])`
	`23`	`+ OptString.new('PASSWORD', [false, 'Redis password for authentication test', 'foobared'])`
`24`	`24`	`]`
`25`	`25`	`)`
`26`	`26`
`@@ -54,7 +54,7 @@ def redis_command(*commands)`
`54`	`54`	`if /(?<auth_response>ERR operation not permitted\|NOAUTH Authentication required)/i =~ command_response`
`55`	`55`	`fail_with(::Msf::Module::Failure::BadConfig, "#{peer} requires authentication but Password unset") unless datastore['Password']`
`56`	`56`	`vprint_status("Requires authentication (#{printable_redis_response(auth_response, false)})")`
`57`		`- if (auth_response = send_redis_command('AUTH', datastore['Password']))`
	`57`	`+ if (auth_response = send_redis_command('AUTH', datastore['PASSWORD']))`
`58`	`58`	`unless auth_response =~ /\+OK/`
`59`	`59`	`vprint_error("Authentication failure: #{printable_redis_response(auth_response)}")`
`60`	`60`	`return`